Valid configuration for IKEv2 VPN for iOS and OSX

Derelict

What macOS server lacks is the RADIUS bits to do EAP.

As far as I know you can't do EAP to LDAP.

EAP-RADIUS works to a FreeRADIUS server, just not to macOS RADIUS as it is configured. You might be able to get it to work using a FreeRADIUS server backed by macOS LDAP for username/password but I have not tried it.

It has been a while since I tried any of this.

SpaceBass

@Derelict:

What macOS server lacks is the RADIUS bits to do EAP.

As far as I know you can't do EAP to LDAP.

EAP-RADIUS works to a FreeRADIUS server, just not to macOS RADIUS as it is configured. You might be able to get it to work using a FreeRADIUS server backed by macOS LDAP for username/password but I have not tried it.

It has been a while since I tried any of this.

Thanks Derelict,

In my case this is macOS Server 10.12

Makes sense that EAP can’t do ldap.

Is there a way to do xauth agains LDAP with Apple clients? It seems Apple clients only send user credentials as an EAP auth.

Or if I stick with EAP - I’d love to hear if anyone knows how to (re)configure macOS server’s freeradius 2.2.x to support the MSK payload

Derelict

The problem isn't really Apple clients, it is the macOS server backend.

I am about ready to give up on it here.

imushroom

Hey,

i want to reply to this old topic because I have some problems connecting.

When I Try to connected the message appears, that there is an authorization error.

Is here any way to debug the connection establishment?

Have to ADD:

I am trying this with OSX 10.14.1
and pFSense latest stable build

imushroom

Here something from my log... On mAc OSX is no log for ikev2 connections available.

Pls Someone help me.....

Dec 23 18:28:39 charon 12[CFG] vici client 34 disconnected
Dec 23 18:28:39 charon 12[CFG] vici client 34 requests: list-sas
Dec 23 18:28:39 charon 13[CFG] vici client 34 registered for: list-sa
Dec 23 18:28:39 charon 13[CFG] vici client 34 connected
Dec 23 18:28:35 charon 13[CFG] vici client 33 disconnected
Dec 23 18:28:35 charon 13[CFG] vici client 33 requests: list-sas
Dec 23 18:28:35 charon 12[CFG] vici client 33 registered for: list-sa
Dec 23 18:28:35 charon 14[CFG] vici client 33 connected
Dec 23 18:28:15 charon 12[IKE] <bypasslan|6> IKE_SA bypasslan[6] state change: CONNECTING => DESTROYING
Dec 23 18:28:15 charon 12[NET] <bypasslan|6> sending packet: from xxx.xxx.xxx.xx[4500] to xx.xxx.xxx.xx[2324] (80 bytes)
Dec 23 18:28:15 charon 12[ENC] <bypasslan|6> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Dec 23 18:28:15 charon 12[IKE] <bypasslan|6> peer supports MOBIKE
Dec 23 18:28:15 charon 12[IKE] <bypasslan|6> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Dec 23 18:28:15 charon 12[IKE] <bypasslan|6> processing (25) attribute
Dec 23 18:28:15 charon 12[IKE] <bypasslan|6> processing INTERNAL_IP6_DNS attribute
Dec 23 18:28:15 charon 12[IKE] <bypasslan|6> processing INTERNAL_IP6_DHCP attribute
Dec 23 18:28:15 charon 12[IKE] <bypasslan|6> processing INTERNAL_IP6_ADDRESS attribute
Dec 23 18:28:15 charon 12[IKE] <bypasslan|6> processing INTERNAL_IP4_NETMASK attribute
Dec 23 18:28:15 charon 12[IKE] <bypasslan|6> processing INTERNAL_IP4_DNS attribute
Dec 23 18:28:15 charon 12[IKE] <bypasslan|6> processing INTERNAL_IP4_DHCP attribute
Dec 23 18:28:15 charon 12[IKE] <bypasslan|6> processing INTERNAL_IP4_ADDRESS attribute
Dec 23 18:28:15 charon 12[CFG] <bypasslan|6> no alternative config found
Dec 23 18:28:15 charon 12[IKE] <bypasslan|6> peer requested EAP, config unacceptable
Dec 23 18:28:15 charon 12[CFG] <bypasslan|6> selected peer config 'bypasslan'
Dec 23 18:28:15 charon 12[CFG] <6> ignore candidate 'con-mobile' without matching IKE proposal
Dec 23 18:28:15 charon 12[CFG] <6> candidate "con-mobile", match: 20/1/1052 (me/other/ike)
Dec 23 18:28:15 charon 12[CFG] <6> candidate "bypasslan", match: 1/1/24 (me/other/ike)
Dec 23 18:28:15 charon 12[CFG] <6> looking for peer configs matching xx.xxx.xxx.xx[xxxx.dyndns.org]...xx.xxx.xxx.xx[tobi]
Dec 23 18:28:15 charon 12[IKE] <6> received cert request for "CN=xxxxxxx.dyndns.org, C=DE, ST=xxxx, L=xxxx, O=Private"
Dec 23 18:28:15 charon 12[ENC] <6> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CERTREQ CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Dec 23 18:28:15 charon 12[ENC] <6> unknown attribute type (25)
Dec 23 18:28:15 charon 12[NET] <6> received packet: from xx.xxx.xxx.xx[2324] to xx.xxx.xxx.xx[4500] (384 bytes)
Dec 23 18:28:15 charon 12[NET] <6> sending packet: from xx.xxx.xxx.xx[500] to xx.xxx.xxx.xx[500] (313 bytes)
Dec 23 18:28:15 charon 12[ENC] <6> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
Dec 23 18:28:15 charon 12[IKE] <6> sending cert request for "CN=internalVPNCA, C=DE, ST=xxxxx, L=xxxxx, O=Private"
Dec 23 18:28:15 charon 12[IKE] <6> remote host is behind NAT
Dec 23 18:28:15 charon 12[CFG] <6> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384
Dec 23 18:28:15 charon 12[CFG] <6> configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Dec 23 18:28:15 charon 12[CFG] <6> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384
Dec 23 18:28:15 charon 12[CFG] <6> proposal matches
Dec 23 18:28:15 charon 12[CFG] <6> selecting proposal:
Dec 23 18:28:15 charon 12[IKE] <6> no matching proposal found, trying alternative config
Dec 23 18:28:15 charon 12[CFG] <6> candidate: xx.xxx.xxx.xx...%any, prio 1052
Dec 23 18:28:15 charon 12[CFG] <6> candidate: %any...%any, prio 24
Dec 23 18:28:15 charon 12[CFG] <6> looking for IKEv2 configs for xx.xxx.xxx.xx...xx.xxx.xxx.xx
Dec 23 18:28:15 charon 12[CFG] <6> configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_384/ECP_384
Dec 23 18:28:15 charon 12[CFG] <6> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384
Dec 23 18:28:15 charon 12[CFG] <6> no acceptable ENCRYPTION_ALGORITHM found
Dec 23 18:28:15 charon 12[CFG] <6> selecting proposal:
Dec 23 18:28:15 charon 12[IKE] <6> IKE_SA (unnamed)[6] state change: CREATED => CONNECTING

Derelict

@imushroom said in Valid configuration for IKEv2 VPN for iOS and OSX:

ignore candidate 'con-mobile' without matching IKE proposal

Probably be better off posting a new thread. The forum tried to warn you. When you do post your IKEv2mobile configuration.

Konstanti

@imushroom Hey
Create a new thread and I'll write there what to do
Show the phase 1 and phase 2 IPSEC PFSense settings there and install Apple Configurator 2 from the App Store
or
https://wiki.strongswan.org/projects/strongswan/wiki/AppleClients
https://wiki.strongswan.org/projects/strongswan/wiki/AppleIKEv2Profile

imushroom

Hey,

@Konstanti thanks for your reply. I try to find time after the holidays to create a new topic.

I already installed the Apple Configurator 2.

Konstanti

This post is deleted!

Konstanti

@imushroom Hope this helps you
https://grokdesigns.com/pfsense-ikev2-for-ios-macos-1/

All well-written
Part three - how to use Apple Configurator

paulholloway2019

@shpokas said in Valid configuration for IKEv2 VPN for iOS and OSX:

This hint worked for me, on both IOS and OS X.
https://lists.strongswan.org/pipermail/users/2015-October/008842.html

For details on my setup, please see https://forum.cheapessaywriter.org/index.php?topic=106694.0

Thank you for the link. Helped me to find a solution to my dns settings on ios.

imushroom

After month of a working vpn my HDD was destroyed and I had no backup, I used the bad thing to turn it into something good - a clean pfSense and a perfect setup.

But now I have some trouble with the Encryption.

I currently use for phase 1 :

AES 256bits SHA384 DH:20

And for Phase 2 :

AES 256bits SHA384 DH:20

Is this secure enough?

When I try to follow the tutorial it doesnt work. The Hash algorithm is also grey in Apple Configurator when I chose AES-256 GCM.

Where is my mistake?